1. Introduction


1.1 Document Purpose and Scope 


This document introduces the background and functions of the Intel® Education Theft 
Deterrent client version 4.x. The intended audiences of this document are the administrator 
and support personnel of the Theft Deterrent system. 


This document also provides instructions on how to unlock devices. However, the detailed 
unlocking procedure varies from institution to institution and therefore it is beyond the 
scope of this document. 


1.2 Terminology 


1.2.1 Abbreviations 


The server Intel® Education Theft Deterrent server 





The client Intel® Education Theft Deterrent client 


1.2.2 Definitions


Note: The term device is used to refer to Intel® Education Tablet and Intel® classmate PC. 


a package from the server successfully. 


Remaining Cycles The number of times that a device can reboot or restore from 
sleep or hibernate before it is locked. 


This is not applicable to Intel® Education Tablet. 


Provision Number (S/N) A 20-digit hexadecimal number generated from the Public Key of
the server.


Unlock Code A 10-digit number generated by the server for unlocking a device. 
Offline Package A file named tcopp.bin for unlocking a device or updating the 
confidential information on a device. 


1.3 Reference Document 


Intel® Education Theft Deterrent server User Manual 2013-02 








Intel® Education Theft Deterrent Deployment Guide 2013-02 
2. What is Theft Deterrent client


Intel® Education Theft Deterrent client (client) is the client component of the Intel® 
Education Theft Deterrent system, which is designed to deter theft of Intel® Education 
Tablet and Intel® classmate PC. 


2.1 Theft Deterrent client Requirements 


The client is a pre-installed component on the device. The only requirement is to make sure 
that the client has a network connection to the Theft Deterrent server (server). 


For information about the system requirements of the device, see the Intel® Education Theft 
Deterrent Deployment Guide. 


2.2 First Time Setup and Activation 


In general, the client is pre-activated in the factory by default. You can skip this section if
your client is already activated.


To ensure that your client is activated, check the client icon to make sure that the client is
not in Inactive status.


If your client has not been activated, follow these steps to activate your client with the 
server: 


1. Ensure that the client is connected with the server. An activation request will be sent to 
the server automatically. 

2. After the server approves your activation request, a reboot dialog will pop up on your 
device. The dialog contains a countdown timer that starts from 60 seconds and the 
system will automatically reboot after 60 seconds. 


Figure 1 - Reboot Dialog (shown for Intel® Education Tablet and Intel® classmate PC). The
dialog reads "System will restart to update the security files. Please save all your work in
progress.", shows the time remaining and offers a button to reboot immediately.


During the activation process, the server sets the Expiration Date and the Remaining Cycles
for the client to enable the Theft Deterrent mechanism. Once the client is activated, it can
operate automatically without user interaction. This can be verified by the status icon.


2.3 How Theft Deterrent client Works 


After a client is activated, the server sets the Expiration Date and the Remaining Cycles for
the client. By default, the Expiration Date is 90 days from the current date and the
Remaining Cycles is 300. The server admin can configure the default values according to
his/her needs.


Intel® Education Theft Deterrent client User Manual Revision 1


When either of the following cases occurs, the device is locked after it reboots or restores 
from sleep or hibernate: 


• The Expiration Date has passed.
• The Remaining Cycles decreases to 0.


When either of the values is about to expire, the server resets them to the default values 
automatically. Therefore, you must ensure the device is connected with the server to avoid 
device lock. 


Note: The Remaining Cycles is not applicable to Intel® Education Tablet. 
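

A simplified model of the lock rule above for an Intel® classmate PC, added here as an illustration and not code from the Theft Deterrent client. It shows why two limits are kept: a device that never reaches the server locks on whichever limit is hit first, and one whose clock never advances still locks once the Remaining Cycles are used up. The names ClientState, activate, renew, on_resume and resumes_until_lock, the decrement-then-check order and the sample date are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEFAULT_VALID_DAYS = 90   # default Expiration Date window stated in this manual
DEFAULT_CYCLES = 300      # default Remaining Cycles stated in this manual


@dataclass
class ClientState:
    expiration: date
    remaining_cycles: int
    locked: bool = False


def activate(server_today: date) -> ClientState:
    """Server approves the client and sets both limits to the defaults."""
    return ClientState(server_today + timedelta(days=DEFAULT_VALID_DAYS), DEFAULT_CYCLES)


def renew(state: ClientState, server_today: date) -> None:
    """Server contact before expiry: both limits go back to the defaults."""
    state.expiration = server_today + timedelta(days=DEFAULT_VALID_DAYS)
    state.remaining_cycles = DEFAULT_CYCLES


def on_resume(state: ClientState, device_clock: date) -> bool:
    """Apply the lock rule at a reboot or a resume from sleep or hibernate.

    Assumption of this model: the counter is decremented first and both limits
    are checked afterwards, so a device with N cycles locks on its Nth resume.
    """
    if state.remaining_cycles > 0:
        state.remaining_cycles -= 1
    expired = device_clock > state.expiration
    out_of_cycles = state.remaining_cycles == 0
    state.locked = state.locked or expired or out_of_cycles
    return state.locked


def resumes_until_lock(state: ClientState, first_day: date, resumes_per_day: int = 1,
                       clock_advances: bool = True, limit: int = 10_000) -> Optional[int]:
    """Count resumes of a device that never reaches the server until it locks.

    clock_advances=False models a device clock that stays at first_day.
    """
    for n in range(1, limit + 1):
        days = n // resumes_per_day if clock_advances else 0
        if on_resume(state, first_day + timedelta(days=days)):
            return n
    return None


if __name__ == "__main__":
    day0 = date(2013, 2, 25)  # constructed sample activation date
    print("one resume per day :", resumes_until_lock(activate(day0), day0, 1))
    print("five resumes per day:", resumes_until_lock(activate(day0), day0, 5))
    print("clock never advances:", resumes_until_lock(activate(day0), day0, 1, False))
```

With one resume per day the Expiration Date is the limit that triggers the lock; with frequent resumes or a clock that does not advance, the Remaining Cycles counter is.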


3. Functions of Theft Deterrent client


In general, once the client is set up correctly as shown in First Time Setup and Activation, 
minimal manual changes are needed. 


3.1 View and Verify Theft Deterrent client Status 


To view or verify the status and settings of the client, click the Theft Deterrent client
application icon on the desktop to open the client.


Figure 2 - Theft Deterrent client (Device Information tab showing Device Status, Boot Tick,
Expiration Date, Remaining Cycles, Hardware ID, Device Name and Group Name)
On the Device Information page, check the status icon in the client status table. If you see
an error message, see the error message table.


The following information is displayed on the Device Information page: 


package from the server successfully. 


Remaining Cycles The number of times that you can reboot the device or restore the device
from sleep or hibernate until it is locked. This is not applicable to Intel® Education Tablet.


Note: On Android, the client icon is displayed in the system notification area when the client
is About to Expire, is downloading an upgrade package, or has failed to upgrade. You can tap
the tray icon to view detailed notifications and tap the notifications to perform the required
actions.


3.2 Configure Connection Settings 


In general, the connection settings in the client are pre-configured in the factory by default.
You can skip this section if the settings are pre-configured.


Otherwise, you can configure the connection settings manually to ensure that the client is 
communicating with the server. Follow these steps: 


1. Select the Settings tab and click the Edit button.

2. If you see a popup window, input the client password and then click OK. Please contact
the designated support personnel if you do not have the password.

3. Input the IP address or the URL of the server in the Server Address/URL field and then
click Save.

4. If you need to configure a proxy to access the server, click the Set up Proxy link and select
a setting option of your choice:

a. If the proxy server address has been configured in the operating system, select Use
system proxy settings. Otherwise, select Manual proxy configuration and input
the server address and port number.

b. Input the username and password of the proxy server if proxy authentication is
required and then click OK.

5. Click the Test button to test the connection.

a. If you see the message “Connection is successful”, the client will connect with the
server after a while. No further action is required.

b. If you see the message “Connection failed” or “Connection failed because of invalid
proxy”, check the server address and proxy settings and make sure that you are
connected to the correct network. Then test the connection again.


Figure 3 - Connection Settings (Settings tab with the Server Address / URL and Server Name
fields, the Set up Proxy link, the Language selection and the Test and Edit buttons; shown for
Intel® Education Tablet and Intel® classmate PC)


3.3 Change Display Language


You can configure the client to display one of the following languages: 


Language | On Intel® Education Tablet | On Intel® classmate PC
3.3.1 Change Language on Intel® Education Tablet





On Intel® Education Tablet, the client displays the Android system language. To change the 
display language of the client, follow these steps: 


1. Open Settings on the Android desktop.

2. Select Language & input from the left menu and then click Language. 

3. Select the language of your choice and the display language of the client is changed 
accordingly. 


Figure 4 - Change Display Language (Intel® Education Tablet): the Android Language list

Note: Only the following languages are supported in the current client version. If you select a 
system language other than these, the client is displayed in English. 


English (United States)
Español (Estados Unidos)
Português (Brasil)
Türkçe
Français (France)


3.3.2 Change Language on Intel® classmate PC


To change the display language of the client on Intel® classmate PC, select the language of 
your choice and then click Apply on the Settings page. 


Figure 5 - Change Display Language (Intel® classmate PC): the Settings tab with the Server
Setting fields and the Language selection under Client Setting











3.4 Log in to Theft Deterrent server to Generate Unlock Code


You can set up your student account on the server. If your device is locked, you can then
generate the unlock code yourself.


3.4.1 Set up Student Account 


To set up your student account, follow these steps: 


1. Open the server webpage for student.
• Windows: Right-click the client tray icon and click Log in Theft Deterrent server
from the tray menu.
• Debian: Click the client tray icon and click Log in Theft Deterrent server from the
tray menu.
• Android: Open the client, click the icon in the upper-right corner and then
select Log in server.

2. On the server webpage for student, set up your account by inputting your name,
password and email.
Note: The password must be 6 to 12 characters in length.


3.4.2 Generate Unlock Code by Student 


If your device is locked, you can borrow a device to generate the unlock code for
your device. Follow these steps:


1. Open the server webpage for student.

2. Log in with the Hardware ID displayed on the lock screen and your account password.

3. On the home page, click Generate Unlock Code.

4. Input the Boot Tick displayed on the lock screen and then click Generate to generate the
unlock code.


Note: By default, you can only generate an unlock code 3 times within 30 days. The server
admin can configure this default value according to his/her needs.


4. Unlock a Device


A device can be locked or unlocked based on a set of policies defined by the server admin. The
most common reasons a device is locked are as follows:


• The device is locked automatically when the Expiration Date has passed
or the Remaining Cycles decreases to 0.

• The device is locked manually by the server admin when, for example, this device is
reported stolen.


This section introduces the steps to unlock devices. The unlocking procedures for Intel® 
Education Tablet and Intel® classmate PC are different. 


• How to Unlock Intel® Education Tablet
• How to Unlock Intel® classmate PC


Note: If unlocking fails, the device might reboot automatically after the unlocking process
but return to the lock screen. For more information, see Resolve Unlocking Errors.


4.1 How to Unlock Intel® Education Tablet


If you see a lock screen as shown in Figure 6, unlock the device with one of the following
methods:


• Unlock with Unlock Code
• Unlock through Network
• Unlock with Removable Devices


Note: You must unlock the device with removable devices if the server is not available. 


For security reasons, the system shuts down automatically 20 minutes after the lock screen 
is displayed. Hardware buttons such as the power and volume buttons are not supported 
when the device displays the lock screen. 


Figure 6 - Intel® Education Tablet Lock Screen (shows the shutdown countdown, the Hardware
ID, Expiration Date, Boot Tick, Provision Number and Version, and the options Unlock with
Unlock Code, Unlock through Network and Unlock with Removable Devices)

To change the display language, click the button at the bottom-left side of the page and 
then select a language of your choice. 


4.1.1 Unlock with Unlock Code


To unlock the device with the unlock code, follow these steps: 


1. Provide the designated support personnel with the Hardware ID and the Boot Tick shown on
the lock screen to request an unlock code.

2. On the lock screen, click Unlock with Unlock Code.

3. Input the unlock code and then click Unlock to unlock the device.


4.1.2 Unlock through Network 


To unlock the device through the network, ensure that the required network is available and 
follow these steps: 


1. Click Unlock through Network.
2. Input the server address, leave the default network type and then select your network.
Input the password of the network if required.


Figure 7 - Unlock through Network (Server address field, network type, Select Network list
and Unlock button)


3. If you need to set up the proxy server, click the Set up proxy server link.

4. An icon is shown next to the Available networks field when the network
connection between the device and the server is established. Click the Unlock button to
unlock the device.





4.1.3 Unlock with Removable Devices 


To unlock the device with a removable device such as a USB drive or an SD card, make sure
the device to be unlocked has the corresponding physical interface and follow these steps:


1. Provide the designated support personnel with the Hardware ID, Boot Tick, and the Provision
Number shown on the lock screen to request an offline package.

2. Copy the offline package to a removable device.

3. Insert the removable device into the locked device and then click Unlock with Removable
Devices to unlock the device.


Note: Do not rename the offline package. 


4.2 How to Unlock Intel® classmate PC


If you see a lock screen as shown in Figure 8, unlock the device with one of the following 
methods: 


• Unlock with Unlock Code
• Unlock with USB


Note: You must unlock the device with USB if the server is not available.


Figure 8 - Intel® classmate PC Lock Screen (a text screen stating that the computer boot
certificate has expired and the machine is now locked; it shows the Unique Hardware ID, the
Boot Tick and the S/N, and asks "Are you ready to enter the unlock code? (Press Y for Yes, or
N for No. System will shut down if you type N.)")





4.2.1 Unlock with Unlock Code 


To unlock the device with the unlock code, follow these steps: 


1. Provide the designated support personnel with the Hardware ID and the Boot Tick shown on
the lock screen to request an unlock code.

2. On the lock screen, type Y.

3. Input the unlock code and then press ENTER to unlock the device.


4.2.2 Unlock with USB 


To unlock the device with a USB drive, follow these steps: 


1. Provide the designated support personnel with the Hardware ID and the Provision Number
(S/N) shown on the lock screen to request an offline package.

2. Copy the offline package to a USB drive.

3. Insert the USB drive into the device and then press CTRL+INSERT to unlock the device.


Note: Do not rename the offline package. 


4.3 Additional Steps


Right after a device is unlocked, the client is set with a Remaining Cycles value or an
Expiration Date that will expire soon:


• Intel® Education Tablet: expires after 10 Remaining Cycles.
• Intel® classmate PC: expires after 10 days.


Therefore, you must connect the device with the server to renew the values of the
Remaining Cycles and the Expiration Date so that the device is not locked again.


5. Troubleshooting Tips


5.1 Theft Deterrent client Status 


Device Status | Tray Icon | Description |
Permanent | | The client is working correctly. Its Expiration Date and Remaining Cycles are set to a value that will never expire. | No action is required.
About to Expire | | The device will be locked in a few days or after a few boots, sleep, or hibernation. | Make sure that the client is connected with the server so that the Expiration Date and Remaining Cycles will be renewed automatically.
 | | The client is working correctly. | No action is required.
Downloading upgrade package | | The client is downloading an upgrade package. | Make sure that the client is connected with the server and do not restart the system.
Upgrading Theft Deterrent client | | The client upgrade is in progress. | In Windows, no action is required. In Android, confirm to install the upgrade package.
 | | The client has error. | Check error messages and error codes.
Inactive | | The client has not been activated and thus is not protected by the Theft Deterrent mechanism. | Connect the client with the server and then contact the server admin to activate the client.


5.2 Error Message 





If an error message is displayed on the client, follow these solutions:


Cannot connect with the server | Connect the client with the server.
Waiting for server approval... | Wait for the server to approve the client and reboot the device when you see the popup dialog requesting system reboot.
Rejected by the server | Make sure that the client is connected with the correct server.
Connected with the wrong server | Make sure that the client is connected with the correct server.
The server is busy. Please wait... | Wait a while and check the status again.
The server is under maintenance | Wait a while and check the status again.
Boot Tick inconsistent | Contact the designated support personnel to reset the Boot Tick value.
Certificate download limit exceeded | Contact the designated support personnel to reset the download limit.
Download/Upgrade Failed | Make sure that the network connection between the server and the client is successful. Wait a while and check the status again.
No Secure Storage | Theft Deterrent is not supported in this device.


5.3 Error Code 





If you see an error code on the client or on the Intel® Education Tablet lock screen, check the 
error codes in the following table: 


Client Error Code | Unlock Screen Error Code | Description
 | | The TPM is disabled.
 | | The TPM is deactivated.
0X02010004 | 0X01010004 |
0X02010005 | 0X01010005 |
0X0201000A | 0X0101000A |
0X0201000C | 0X0101000C |
0X0201000E | 0X0101000E |
0X0201000F | 0X0101000F | Error occurred during TPM initialization in the manufacturing line. The possible reasons include the following:
• The TPM does not have an Endorsement Key pre-installed.
• The TPM NV partition or NV index creation failed.
• The TPM status is incorrect.
0X0201FFFF | 0X0101FFFF | Internal error accessing the TPM.





The following error codes describe the detailed reasons of unlocking failure during Unlock 
through Network: 


Unlock Screen Error Code | Description
0x01040040 | The server address is invalid because it is shorter than 4 characters.
0x01040080 | Cannot connect with the server because the proxy username or password is invalid.
0x04020003 | Server is busy. Please try again later.
0x04020004 | Server is under maintenance. Please try again later.
0x04070001 | Cannot unlock this device because it is not managed by the server yet.
0x04070002 | Cannot unlock this device because it is still waiting for the server’s approval.
0x04070003 | Cannot unlock this device because it has been rejected by the server.
0x04070005 | Connected to the wrong server. (The Root Public Key in the server is not the same as that in the device)
0x04070006 | Connected to the wrong server. (The server Public Key is not the same as that in the device)
0x04070007 | Failed to unlock the device because the Boot Tick in the client is inconsistent with that in the server.
0x04070008 | Failed to unlock the device because the certificate download limit exceeded the threshold in the server.


5.4 Resolve Unlocking Errors 


If your device reboots and returns to the lock screen after you unlock the device with an
unlock code, make sure that you input the correct unlock code. If the problem remains,
see Resolve Unlock Code Problems.


If your device reboots and returns to the lock screen after you unlock the device with a 
removable device, make sure that you use the correct offline package. 


If you fail to unlock the device through the network, make sure that the device is
connected with the server correctly. If you see an error code on the lock screen of Intel®
Education Tablet, check the error codes for unlocking through network.


5.5 Resolve Unlock Code Problems 


If you cannot unlock the device with the unlock code, this might be because the confidential 
information in the server is not the same as that in the client. Therefore, it is recommended 
that you update the confidential information with a removable device by following the 
unlock steps for your Intel® Education Tablet or Intel® classmate PC. 


The device is still locked after you update the confidential information. You can now unlock 
the device with an unlock code. 


6. FAQ


1. What is the removable device format supported for unlocking? 


Answer: The FAT file system. 


2. What is the network protocol supported for device unlocking through network? 


Answer: The wireless encryption standards supported are as follows: 


• WPA
• WPA2
• WEP (Hex Security Key only)
• NONE


3. Why doesn’t the Theft Deterrent client start up? 


Answer: The client should be loaded automatically at system start-up. If your client is not 
running properly, reboot the device to start the client automatically. 


Also, if the client runs on Windows, you can check the following services from the Start 
menu -> Computer Management -> Services and Applications. 


• Theft Deterrent agent service
• Theft Deterrent guardian service


If either of the services is stopped, start it manually. If the problem remains, it is 
recommended that you re-install the client and guardian. 


4. Can I uninstall the Theft Deterrent client? If so, what will happen after uninstall?


Answer: As a management program, the Theft Deterrent client should be kept running at all 
times. However, you can still uninstall the client but a protection application named Theft 
Deterrent guardian must be uninstalled before uninstalling the client. 


To uninstall the guardian and the client, follow these steps: 


• Windows: use Add or Remove Programs in the Control Panel. The client protection
password might be required.
• Android: use Manage applications in Settings.


5. Will the About to Expire status affect the device functions? 


Answer: No. The About to Expire status only informs the user to ensure that the client is 
connected with the server so that the server can update this status automatically. 


6. Can the useable time be extended by modifying the device’s system time/date? 


Answer: For Intel® Education Tablet, changing the system time will not affect the useable
time of the device.


For Intel® classmate PC, changing the system time can extend the usable time of the device.
However, this will not impact the Remaining Cycles and the device will eventually be locked
after the Remaining Cycles decreases to 0.


7. Why can’t the Theft Deterrent client connect with the server? 


Answer: If you cannot establish a connection between the client and the server, make sure 
that the following settings are configured: 


• The network settings are properly set up.
• The antivirus software and the firewall on your device allow the following ports:
5000, 7911, 8911, 9911.
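

A reachability check that support personnel can run from a device on the same network, added here as an example and not a tool shipped with the Theft Deterrent system. It assumes the server accepts TCP connections on the four ports listed above, which this manual does not state; the function names and the placeholder host td-server.example are also assumptions.

```python
import socket
import sys
from typing import Dict, Iterable, List

# Ports named in this FAQ answer. Assumption: the server accepts TCP
# connections on them; the manual does not state the transport.
TD_PORTS = (5000, 7911, 8911, 9911)

ADVICE = {
    "open": "reachable",
    "refused": "host answered but nothing accepts connections: check the server address",
    "timeout": "no answer: a firewall or antivirus filter may be dropping this port",
    "error": "connection could not be attempted: check the network settings",
}


def check_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connection attempt as open, refused, timeout or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        # Name resolution failure, no route to host, network down.
        return "error"


def check_server(host: str, ports: Iterable[int] = TD_PORTS,
                 timeout: float = 3.0) -> Dict[int, str]:
    """Probe every port once and return {port: status}."""
    return {port: check_port(host, port, timeout) for port in ports}


def ports_needing_attention(results: Dict[int, str]) -> Dict[str, List[int]]:
    """Group the ports that are not open by failure kind, for the support request."""
    grouped: Dict[str, List[int]] = {}
    for port, status in sorted(results.items()):
        if status != "open":
            grouped.setdefault(status, []).append(port)
    return grouped


if __name__ == "__main__":
    # Placeholder host name; pass the address from the Server Address/URL field.
    server = sys.argv[1] if len(sys.argv) > 1 else "td-server.example"
    results = check_server(server)
    for port, status in sorted(results.items()):
        print(f"{server}:{port:<5} {status:<8} {ADVICE[status]}")
    sys.exit(1 if ports_needing_attention(results) else 0)
```

A "timeout" on some ports while others are open points at per-port filtering on the device or the network, which is the case this FAQ answer describes.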


8. Why can’t I enter the login page when I open the server webpage for student?


Answer: The login page is displayed only after the device owner completes the student
account settings. Therefore, to generate an unlock code with a device borrowed from your
classmate, ask your classmate to complete his or her account settings and then you can log
in to the server with your own Hardware ID and password.




